Forum Discussion
MDATP Integration - Unsanctioned Apps - Allow for some users?
Thanks, Dean_Gross.
I can see how you can scope/filter some policy types to specific users and groups, but the exact scenario I am looking for, as an example, is this: say I have a group of users I want to allow access to Jira for, and block it for all other users.
If I tag Jira as an unsanctioned app in the Cloud app catalog, I assume this blocks it for all users.
How can I create a policy to block for all users except a specific group?
If I search the cloud app catalog for Atlassian Jira and choose "create policy from search" to scope the policy to Jira specifically, the criteria you can choose from to build your filter within the policy don't include the ability to add user or group scoping filters, as shown in the attached screen grab.
I can't see that scoping sanctioned and unsanctioned apps per user/group is possible in this manner.
If I create an access control policy, I can scope the policy to specific users, but the apps I can choose from are only the apps I have onboarded to Azure AD, not the entire list of apps from the cloud app catalog.
Thanks
Paul
PJR_CDF You can register the Indicator to allow the URL with a specific device group.
- Cristian Calinescu, Jan 26, 2021, Brass Contributor
shoando - That would not be a solution for us due to the limitation that a device can be a member of only one device group. We are also using MDATP web content filtering, and we have the web content filtering policies deployed to several device groups for granularity. So you can imagine that if a user has the device in a group where a web content filtering policy is applied that, for example, blocks all categories but allows access to web mail, and the same user wants access to an unsanctioned app (that's blocked via indicator on all devices), we cannot achieve this: if we create an allow indicator for that unsanctioned app and apply it to the group of devices that permits web mail access via web content filtering, that would give access to the unsanctioned app to all devices in that group. And since a device can be a member of only one group, we cannot do this.
And this example is just for one user. Imagine when you have 300 users that each want to access 30-40 different unsanctioned apps :). Hope the above makes sense.
- shoando, Jan 27, 2021, Brass Contributor
Cristian Calinescu You're right. Sorry, I can't find a solution. :'(